Marvin Christensen’s scientific contributions


Publications (2)


Data mining analysis of RTID alarms
  • Article
  • October 2000 · Computer Networks
  • 85 Reads · 190 Citations
  • Authors shown: Marvin Christensen · Dan Zerkle

IBM's emergency response service provides real-time intrusion detection (RTID) services through the Internet for a variety of clients. As the number of clients increases, the volume of alerts generated by the RTID sensors becomes intractable. This problem is aggravated by the fact that some sensors may generate hundreds or even thousands of innocent alerts per day. With an eye towards managing these alerts more effectively, IBM's data mining services group analyzed a database of RTID reports. The first objective was an approach for characterizing the “normal” stream of alerts from a sensor. Using such models tuned to individual sensors, we then developed a methodology for detecting anomalies. In contrast to many popular approaches, the decision to filter an alarm out or not takes into consideration the context in which it occurred and the historical behavior of the sensor it came from. Our second objective was to identify all the different profiles of our clients. Based on their history of alerts, we discovered several different types of clients, with different alert behaviors and thus different monitoring needs. We present the issues encountered, solutions, and findings, and discuss how our results may be used in large-scale RTID operations.
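The abstract describes two ideas: a per-sensor model of the "normal" alarm stream, used so that filtering decisions depend on the sensor's own history rather than on the signature alone, and profiling of clients by their alert history. The following is an added illustration of that idea, not the paper's code or IBM's method: it baselines each sensor's daily alarm counts per signature over a training window, then filters or escalates a new day's alarms against that sensor's own band. The sensor names, signature names, alarm records and the mean-plus-k-sigma threshold (with a floor so constant streams still get a band) are all constructed assumptions.

```python
"""Added example (not the paper's code): per-sensor alarm baselining.

Models each sensor's "normal" daily alarm mix from a training window and then
decides, for a new day, whether each (sensor, signature) stream is routine
noise to filter or a deviation to escalate. Thresholds, sensor names and the
alarm records are constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed training history: (day, sensor, signature). Sensor A is a noisy
# sensor that sees ~120 ICMP sweeps every day; sensor B is quiet.
HISTORY = []
for day in range(1, 8):
    HISTORY += [(day, "sensorA", "ICMP_SWEEP")] * (120 + day % 3)
    HISTORY += [(day, "sensorA", "HTTP_CGI_PROBE")] * 3
    HISTORY += [(day, "sensorB", "HTTP_CGI_PROBE")] * 2

# Constructed day under evaluation. The same ICMP_SWEEP signature is routine on
# sensor A but has never been seen on sensor B.
TODAY = ([(8, "sensorA", "ICMP_SWEEP")] * 125
         + [(8, "sensorA", "HTTP_CGI_PROBE")] * 4
         + [(8, "sensorB", "ICMP_SWEEP")] * 30
         + [(8, "sensorB", "HTTP_CGI_PROBE")] * 9)


def build_baseline(records):
    """Return {sensor: {signature: (mean_daily_count, std_daily_count)}}."""
    days = sorted({d for d, _, _ in records})
    per_stream = defaultdict(Counter)          # (sensor, sig) -> {day: count}
    for d, sensor, sig in records:
        per_stream[(sensor, sig)][d] += 1
    baseline = defaultdict(dict)
    for (sensor, sig), by_day in per_stream.items():
        counts = [by_day.get(d, 0) for d in days]  # 0 on days with no such alarm
        baseline[sensor][sig] = (mean(counts), pstdev(counts))
    return baseline


def classify_day(baseline, records, k=3.0, floor=2.0):
    """Filter or escalate each (sensor, signature) stream of one day.

    A stream is filtered when its count lies within mean + k*std of that
    sensor's own history (std floored so constant streams still get a band);
    it is escalated when the sensor never produced that signature in the
    training window or the count exceeds the band.
    """
    counts = Counter((sensor, sig) for _, sensor, sig in records)
    decisions = {}
    for (sensor, sig), n in counts.items():
        stats = baseline.get(sensor, {}).get(sig)
        if stats is None:
            decisions[(sensor, sig)] = ("escalate", f"{sig} never seen from {sensor}")
            continue
        mu, sd = stats
        limit = mu + k * max(sd, floor)
        verdict = "escalate" if n > limit else "filter"
        decisions[(sensor, sig)] = (verdict, f"{n} today vs baseline {mu:.1f} (limit {limit:.1f})")
    return decisions


def profile_sensors(baseline):
    """Summarise each sensor's expected daily volume and its dominant signature."""
    profiles = {}
    for sensor, sigs in baseline.items():
        total = sum(mu for mu, _ in sigs.values())
        dominant = max(sigs, key=lambda s: sigs[s][0])
        profiles[sensor] = {"daily_rate": round(total, 1),
                            "dominant_signature": dominant,
                            "signature_count": len(sigs)}
    return profiles


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for stream, (verdict, why) in sorted(classify_day(base, TODAY).items()):
        print(f"{stream[0]:8s} {stream[1]:15s} {verdict:9s} {why}")
    print(profile_sensors(base))
```

Run as-is: 125 ICMP sweeps on sensor A are filtered because that sensor produces about 121 a day, while 30 of the same signature on sensor B are escalated because sensor B has no history of them, which is the point the abstract makes about context. A deployment would need a longer window, seasonality handling and periodic re-baselining; the constant `k` and `floor` here are placeholders, not tuned values.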


A Data Mining Analysis of RTID Alarms.
  • Conference Paper
  • Full-text available
  • January 1999
  • 790 Reads · 127 Citations
  • Abstract: identical to the October 2000 Computer Networks article above.


Citations (2)

A Controlled Experiment on the Impact of Intrusion Detection False Alarm Rate on Analyst Performance
  • Cites: Data mining analysis of RTID alarms (Article, October 2000, Computer Networks)
  • Citing context: "... The frequency of alarms depends on how the IDS is configured, i.e., which rules are set to trigger an alarm. In practice, most of the alarms raised by IDSes are false alarms; typical IDS false alarm rates are above 90% with many as high as 99% [Julisch, 2003; Manganaris et al., 2000]. Axelsson [2000] raises the issue of the base rate fallacy, stating that the ratio of actual attacks to benign traffic is so low that IDSes must be extraordinarily accurate to have acceptable detection performance. ..."

Second citing work (title not shown on this page)
  • Cites: A Data Mining Analysis of RTID Alarms. (Conference Paper, January 1999)
  • Citing context: "... This is done to determine when a micro-pattern appears in a sequence. The use of this threshold is justified since it is difficult for an entire micro-pattern to appear exactly in the new sequence, given the variability of behaviour (see [14, 15]). Test the initial micro-patterns with new sequences (this time with positives and negatives). ..."